Howard_Gyton
Advisor

SCV: Check for domain joined

Hi,

Does anyone know whether it's possible to get SCV to check for keys outside of "Software"?

We would like to be able to check for domain membership, so our SCV file has the following:

: (RegMonitor
:type (plugin)
:parameters (
:value ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain>='DOMAIN'")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("This is not a Unit machine. Connection is not allowed.")
:end (admin)
)
)

We would also have the following setting to stop non SCV clients from being blocked:

:allow_non_scv_clients (true)

Which I hope would take care of Macs?

Howard

0 Kudos
3 Replies
Alisson_Lima
Contributor

Hello Howard,

 

You can use RegMonitor to block machines outside the company domain. I made this same configuration this week; the parameters configured were:

(RegMonitor
:type (plugin)
:parameters (
:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain=yourdomain.com")
:begin_admin (admin)
:send_log (alert)
:mismatchmessage ("You message for users")
:end (admin)
)
)

Don't forget to configure this policy in the SCVPolicy field. About MacBooks, according to sk110975 you cannot use the SCV file for macOS systems. If necessary, you have to use the Compliance Blade prior to the VPN connection.

Note that using the Compliance Blade requires an additional license for the management server.

Thank you, good luck!

Alisson Lima

 

0 Kudos
Howard_Gyton
Advisor

Hi Alisson,

I noticed my schoolboy error myself this morning. I had cribbed an entry from the support site that was checking the value of an integer and not a string, and should have had "=" and not ">=". It was weird in that when I manually malformed the domain string in the registry, it triggered non-compliance, but didn't block traffic and never switched back to compliance.

It's working quite well for me now, thanks.

Classic case of RTFM! 🙂

One thing I did notice is that on the firewall itself, in the copy of "local.scv" that it has, there is an extra line in the section that contains the checks you wish to enforce.

:SCVPolicy (
: (RegMonitor)
: (ckp_scv)
)

I didn't add this but it does have its own section in that file.

: (ckp_scv
:type (plugin)
:parameters (
:protect_all_ifc (true)
:non_ip_protocols (true)
:send_log (true)
:send_warning (true)
)
)

Not sure why that got enabled.

Howard

0 Kudos
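The operator mistake described in the post above, as an added example that is not part of the original thread and is not Check Point code: a small Python lint for RegMonitor lines in a local.scv file. It assumes, from the thread, that `:value` is meant for integer comparisons and `:string` for string equality, and that the operators are `=`, `<`, `>`, `<=`, `>=`; the function name and the third sample line are constructed for illustration.

```python
import re

# One RegMonitor check line: :value ("path<op>operand") or :string ("path<op>operand")
CHECK_RE = re.compile(r':(value|string)\s*\(\s*"([^"]*)"\s*\)')
# Two-character operators first so ">=" is not split into ">" and "=".
# Operator set is an assumption based on the thread, not taken from vendor docs.
OP_RE = re.compile(r'(>=|<=|=|>|<)')

def lint_regmonitor(scv_text):
    """Return (line_no, message) findings for RegMonitor checks in scv_text."""
    findings = []
    for no, line in enumerate(scv_text.splitlines(), 1):
        m = CHECK_RE.search(line)
        if not m:
            continue
        kind, expr = m.groups()
        parts = OP_RE.split(expr, maxsplit=1)
        if len(parts) != 3:
            findings.append((no, "no comparison operator in expression"))
            continue
        _path, op, operand = (p.strip() for p in parts)
        operand = operand.strip("'")
        is_int = re.fullmatch(r"\d+", operand) is not None
        if op != "=" and not is_int:
            # The error from the thread: ">=" applied to a domain name.
            findings.append((no, f"ordering operator '{op}' used with "
                                 f"non-numeric operand '{operand}'; use '='"))
        if kind == "value" and not is_int:
            findings.append((no, f":value compared against text '{operand}'; "
                                 "use :string for string data"))
    return findings

# Sample input: lines 4 and 5 are the checks quoted in the thread,
# line 6 is a constructed numeric check with a hypothetical key.
SAMPLE = r''': (RegMonitor
:type (plugin)
:parameters (
:value ("SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain>='DOMAIN'")
:string ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\MachineDomain=yourdomain.com")
:value ("Software\ExampleVendor\ExampleApp\Version>=3")
)
)'''

if __name__ == "__main__":
    for line_no, message in lint_regmonitor(SAMPLE):
        print(f"line {line_no}: {message}")
```

Running it against a local.scv before the policy is installed flags only the `>=` domain check on line 4; the `:string` equality check and the numeric `:value` check pass.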
Prabulingam_N1
Advisor

Dear Alisson,

 

I had tried this setup for my customer and noticed the below situations.

1) Non-domain computers with the RA VPN client (latest E82.40 installed) are able to connect to the GW and able to access internal resources.

  Also it shows "Compliant"

2) Domain computers with the RA VPN client (latest E82.40 installed) are unable to connect to the GW; it shows a Compliant error.

 

The result looks to me like the exact opposite of what I had configured in the SCV file for the registry.

 

Any ideas?

Regards, Prabu

0 Kudos
